It appears that at the end of the month I will be going to test a system that was missed by my co-workers. It's all part of a large effort, and these two servers were missed. One server is an Oracle Web Application Server, and one server is an MS SQL Server. I'm not too worried about the SQL Server; however, I've never tested an Oracle Web Application Server. I could not find an SRR that would help, so I read through the Application Server STIG and parsed out the questions. I'm going to have to sit with an SME to guide me through finding the answers. Tedious at best. Of course, I'll also hit the server with nmap and our new web vulnerability scanner, NTOSpider. I've never used NTOSpider.
So, if you have any pointers on either Oracle Web Application Server or NTOSpider, I would love to hear them.